What to do if your Website is Hacked: A Disaster Recovery Plan


Thousands of websites get hacked every day. Measured against the billions of websites on the Internet that is a small share, but if you got unlucky and yours is among them, you need to take it seriously and respond quickly and carefully.

Unfortunately, website owners are very often convinced that they will never be a victim, and have no disaster recovery plan for such a case. Or, if they do, the plan consists of a single bullet point:

  • I was unlucky and the plan is to shut down my business.

In this article I try to close that gap and offer you a solid disaster recovery plan for a hacked website.

Once Upon a Time, a Website Got Hacked…
Hacker activity on a website may be noticed directly or indirectly by visitors, by the webmaster, or by the hosting provider. Very often in such situations website owners accuse their host of poor server administration or of failing to protect the hosting account.

My advice is, do not jump to conclusions too quickly.

In my experience, most attacks succeed because webmasters do not follow basic website safety precautions. Moreover, any recovery plan should be built on a good working relationship with your host: it helps resolve issues faster and avoid reinfection.

So, if your website was hacked, do these actions immediately:

1. Before restoring your website from a backup, collect information about the attack, so that you or a security specialist can analyze it later and find out how the attackers got in. Restoring first overwrites exactly the evidence you need.

  • Ask your hosting technical support for the server logs for the relevant period: the web server access_log and error_log, the FTP connection and file operation logs, the SSH/SFTP connection and file operation logs, the control panel action logs, and (for VPS accounts) a copy of the whole /var/log directory. Ask promptly, because many hosts rotate logs after only a few days.
  • Make notes of any website issues and anomalies you find, such as main page defacement, spam pages or emails, redirects, blacklisting, new or unrecognized files, etc. Record the approximate date and time of each observation, including the timezone, so they can be matched against the logs.
  • If you have enough disk space, archive the infected version of the entire website (files and a database dump) before making any changes or cleanup attempts. Use an archive format that preserves file modification times (a tar archive made on the server, rather than files downloaded over FTP), because those timestamps are evidence.

Based on the collected information you can try to determine how the infection happened. For example, compare the modification time of the .htaccess file with the FTP log: an upload of that file at that time from an unfamiliar IP address shows that the website was hacked via FTP, usually because the FTP password was too weak or was stolen. In general, forensic analysis can be hard to do on your own, so if you are not sure how to proceed, it is better to contact security specialists.
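The correlation just described, as an added example that is not code from the original article or from Imunify360: it takes the modification time of a changed file (here .htaccess) and searches FTP transfer-log entries for uploads in a window around that time, reporting the account and remote address. The log lines, IP addresses, user name and paths are constructed for the demonstration; the layout is the xferlog format written by wu-ftpd, ProFTPD and Pure-FTPd, so the parser works on a real transfer log as well. Leaving the path unset returns every upload in the window, which is how the web shell dropped seconds after the .htaccess change shows up too.

```python
"""Added example (not the article's or Imunify360's code): correlate a changed
file's modification time with FTP transfer-log uploads to find out whether it
was uploaded over FTP, when, by which account and from which address."""
from datetime import datetime, timedelta

# Constructed xferlog lines (not real traffic). Whitespace-separated fields:
# 0-4 timestamp, 5 transfer secs, 6 remote host, 7 bytes, 8 file name,
# 9 transfer type, 10 special action, 11 direction (i = upload to server,
# o = download from server), 12 access mode, 13 user name, ...
SAMPLE_XFERLOG = """\
Mon Dec 10 09:12:44 2018 1 198.51.100.7 2048 /var/www/html/index.php b _ o r siteuser ftp 0 * c
Mon Dec 10 23:41:05 2018 1 203.0.113.45 412 /var/www/html/.htaccess b _ i r siteuser ftp 0 * c
Mon Dec 10 23:41:09 2018 1 203.0.113.45 15360 /var/www/html/wp-content/uploads/cache.php b _ i r siteuser ftp 0 * c
Tue Dec 11 08:02:17 2018 1 198.51.100.7 512 /var/www/html/robots.txt b _ o r siteuser ftp 0 * c
"""


def parse_xferlog(text):
    """Parse xferlog text into a list of dicts (time, host, path, direction, user)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 14:
            continue  # blank or truncated line
        entries.append({
            "time": datetime.strptime(" ".join(parts[0:5]), "%a %b %d %H:%M:%S %Y"),
            "host": parts[6],
            "path": parts[8],
            "direction": parts[11],
            "user": parts[13],
        })
    return entries


def uploads_near(log_text, mtime_iso, window_minutes=5, path=None):
    """Uploads (direction 'i') within +/- window_minutes of the file's mtime.

    mtime_iso is the changed file's modification time as an ISO-8601 string,
    e.g. datetime.fromtimestamp(os.stat(p).st_mtime).isoformat() on the server.
    With path=None every upload in the window is returned.
    Returns a list of (time, host, user, path) tuples, oldest first.
    """
    mtime = datetime.fromisoformat(mtime_iso)
    window = timedelta(minutes=window_minutes)
    hits = [
        (e["time"].isoformat(sep=" "), e["host"], e["user"], e["path"])
        for e in parse_xferlog(log_text)
        if e["direction"] == "i"
        and (path is None or e["path"] == path)
        and abs(e["time"] - mtime) <= window
    ]
    return sorted(hits)


def upload_sources(log_text, mtime_iso, window_minutes=5):
    """Distinct remote addresses that uploaded anything in the window."""
    return {host for _, host, _, _ in uploads_near(log_text, mtime_iso, window_minutes)}


if __name__ == "__main__":
    # In the constructed scenario .htaccess was modified at 2018-12-10 23:41:05
    # (server local time; the log and the mtime must use the same timezone).
    changed_at = "2018-12-10T23:41:05"
    for when, host, user, path in uploads_near(SAMPLE_XFERLOG, changed_at):
        print(f"{when}  {user}@{host}  uploaded  {path}")
    print("addresses to investigate:", upload_sources(SAMPLE_XFERLOG, changed_at))
```

Run it on the real log by replacing SAMPLE_XFERLOG with the file contents the host sent you and changed_at with the file's actual mtime; both must be in the same timezone or the window will miss. A legitimate account name in the log does not clear it: in the constructed case the uploads come from the site's own FTP user, which is exactly what a stolen password looks like.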

2. Scan every workstation used to administer the website with an up-to-date antivirus product. This helps you get rid of any trojans or keyloggers; otherwise a compromised admin machine will simply capture the new passwords you set in the next step.

3. Change all your hosting-related passwords: email, the hosting control panel, every CMS administrator account, FTP/SFTP/SSH users, and database users. Use a unique password for each, with lower and upper case letters and digits and at least 12 characters, ideally generated and stored by a password manager, and enable two-factor authentication wherever the service supports it. Remember that attackers who could read the CMS configuration file already have the database credentials stored in it, so those must be rotated as well.

4. If the website stopped working, restore it from a recent backup taken before the compromise. Treat the restored files as suspect until they have been checked in the steps below, since a backup may already contain the infection.

What if I don't have a backup?
First of all, don't panic. There may still be one without you knowing about it. Contact your host and ask whether they have any backup copies. Very often, even if backup services are not included in your hosting plan, the host can restore your website from their own server backups for a reasonable fee, saving you a lot of time and money.

There is also a good chance that you can rebuild most of the code by re-downloading the official packages for your CMS version and its extensions/plugins from the vendors; only your own content, configuration and customizations are then missing. Your web developer might also have a copy.

In other words, even if your website was defaced, completely wiped or heavily damaged by the attackers, there is a good chance that you can restore it to some previous state. Explore all available options carefully.

I recovered my files—what next?
Now that you have your files back (if they were damaged or removed), you need to check the website for malware and remove it as soon as possible, without skipping the steps above. Until the infection has been identified and cleaned, I recommend temporarily disabling any advertising scripts on the site, to avoid being banned by the advertising network. It also reduces the chance of an attack arriving through third-party scripts or advertisements (so-called 'malvertising').

I recommend following this 4-step strategy:

1. First of all, identify where the infection lives (e.g., the database, script files, PHP code) and remove it. It may be static code added to a .js file (usually at the very beginning or end of the file), HTML or JavaScript injected into page content stored in the database, PHP code that generates the malicious content dynamically, or, if the whole host is compromised, something on the web server itself. Also check your DNS configuration and settings: if your registrar account is hijacked, attackers can point your domain at their own proxy, which forwards traffic to your real server while injecting 'malvertising' content on the way. In summary, review every third-party service your website uses, especially those that allow customization, such as Google Tag Manager (GTM). (There have been cases where a compromised Google account was used to add a malicious payload as a custom script in GTM.)

2. Close or patch all software vulnerabilities on your website: the CMS core, themes, plugins and any custom code. If you cannot do that right away after the cleanup, ask your host to temporarily put the website into read-only mode (for example, make the web root non-writable by the web server user). This should prevent reinfection while you work on the fix.

3. If you have other websites on the same hosting account, perform all cleanup steps and checks on every one of them. All sites under one account usually run as the same system user, so an infected neighbor can quickly reinfect your freshly-cleaned website.

4. After everything has been cleaned, repeat the checks and change all your passwords once more, as described above, since credentials may have been captured while the infection was active.
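As an added example of the first step of this strategy, and not code from the original article or from Imunify360, here is a small indicator scan over the places the text lists: PHP and JavaScript files in the web root, the .htaccess rewrite rules, and page content pulled from the database. The web root, its file contents and the database rows are constructed in a temporary directory so the script runs offline; the patterns are common malware idioms (eval of decoded data, packed JavaScript appended to a file, referer-conditional redirects to an external host, remote scripts and hidden iframes in stored content), not a complete signature set. A hit is a reason to open the file, not proof of infection.

```python
"""Added example (not the article's or Imunify360's code): indicator scan of
web-root files, .htaccess rules and database-stored content for the injection
patterns described in the text. All inputs are constructed for the demo."""
import os
import re
import tempfile

# (label, regex) pairs keyed by file extension, plus ".htaccess" by name.
FILE_PATTERNS = {
    ".php": [
        ("php-eval-decode", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
        ("php-eval-request", re.compile(r"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
        ("php-preg-e-modifier", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
        ("php-shell-from-request", re.compile(r"\b(system|passthru|shell_exec|exec)\s*\(\s*\$_(POST|GET|REQUEST)\b", re.I)),
    ],
    ".js": [
        ("js-packer", re.compile(r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e", re.I)),
        ("js-write-unescape", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
        ("js-charcode-blob", re.compile(r"String\.fromCharCode\s*\((\s*\d+\s*,){20,}", re.I)),
    ],
    ".htaccess": [
        ("htaccess-cond-referer-ua", re.compile(r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)),
        ("htaccess-external-redirect", re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)),
    ],
}

# Indicators in page content stored in the database.
DB_PATTERNS = [
    ("db-remote-script", re.compile(r"<script[^>]+src\s*=\s*['\"]?https?://", re.I)),
    ("db-hidden-iframe", re.compile(r"<iframe[^>]*(width|height)\s*=\s*['\"]?0\b", re.I)),
]


def where(offset, length, margin=200):
    """head/tail/body: injected JavaScript usually sits at the very start or end."""
    if offset < margin:
        return "head"
    if length - offset < margin:
        return "tail"
    return "body"


def scan_text(name, text):
    """Return (label, position) hits for one file's contents."""
    key = name if name == ".htaccess" else os.path.splitext(name)[1].lower()
    hits = []
    for label, pat in FILE_PATTERNS.get(key, []):
        m = pat.search(text)
        if m:
            hits.append((label, where(m.start(), len(text))))
    return hits


def scan_tree(root):
    """Walk a web root; return sorted (relative path, label, position) triples."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.extend((rel, label, pos) for label, pos in scan_text(name, text))
    return sorted(findings)


def scan_db_rows(rows):
    """rows: iterable of (row_id, html). Return [(row_id, label)] for injected content."""
    return [(rid, label) for rid, html in rows for label, pat in DB_PATTERNS if pat.search(html)]


def build_demo_site():
    """Constructed web root (demo only): one clean file and three infected ones."""
    root = tempfile.mkdtemp(prefix="demo-site-")
    files = {
        "index.php": "<?php\nrequire 'app.php';\n",
        "wp-content/uploads/cache.php": "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n",
        "js/app.js": "function init(){ return 1; }\n" * 20
                     + "eval(function(p,a,c,k,e,d){return p}('x',0,0,[],0,{}));\n",
        ".htaccess": ("RewriteEngine On\n"
                      "RewriteCond %{HTTP_REFERER} (google|bing)\\. [NC]\n"
                      "RewriteRule ^.*$ http://redirect.example/land [R=302,L]\n"),
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, label, pos in scan_tree(build_demo_site()):
        print(f"{rel}: {label} ({pos})")
    # Constructed rows as they might come from a CMS content table.
    rows = [(1, "<p>Welcome</p>"),
            (2, '<p>Sale</p><script src="http://stat.example/c.js"></script>'),
            (3, '<iframe src="http://bad.example/" width=0 height=0></iframe>')]
    for rid, label in scan_db_rows(rows):
        print(f"db row {rid}: {label}")
```

Point scan_tree at the real web root and feed scan_db_rows the (id, content) pairs from a query over your content tables. The referer-conditional redirect in .htaccess is reported as two separate indicators on purpose: the condition alone is common in legitimate configurations, and only the combination with a rewrite to an external host is the classic search-engine-only redirect that the site owner never sees when visiting directly.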

Conclusion
Recovering a website and cleaning it of malware takes a significant amount of technical experience and effort, and there are many pitfalls along the way. If you have difficulty removing malware, or your website keeps getting reinfected, please do not hesitate to contact us. Imunify360 can help you resolve such issues and prevent future attacks on your hosting account.

P.S. I will look at manual malware cleanup steps in forthcoming articles, so watch this space! 

Written by Andrey Kucherov, Malware Analyst at Imunify360
